Big Data demands and enterprise resource planning (ERP) systems are
now commonplace in the business environment and not restricted to
larger audit engagements. Auditors must deal with the lack of
transparency that automated systems create by placing computer
procedures and configurable controls between the auditor and data. To
facilitate data access and automation opportunities for auditors, the
AICPA Assurance Services Executive Committee (ASEC) has developed a
new set of data specifications, the Audit Data Standards (ADS), and is
exploring ways to work with vendors to facilitate the development of
semiautomated to fully automated audit tools.

By shifting the tool set, auditors and companies will be freed from
dependence on disparate data systems and repeated requests for data.
The audit program will become a mix of automated steps, manual
linkages, and auditor judgment that will improve the quality of
evidence and strengthen the assurance function. The result will be a
flexible, modular approach that can be adapted and expanded as the
environment changes.

THE AUDIT DATA STANDARDS (ADS)

Auditors often cite the process of requesting data as one of the
primary obstacles in completing their engagement. ASEC has developed
voluntary IT audit data standards that aim to address the issue by
creating a common data store that would replicate existing enterprise
data and make it accessible to auditors, either on a continuous or
periodic basis.

The goal behind ADS is to make data available on demand. As a start,
the AICPA has worked with companies, ERP vendors, and internal and
external auditors to understand what data they need.

The first release in this new ADS series included a set of base
standards, as well as ones covering the general ledger and accounts
receivable. These were designed with retail and commercial sectors in
mind. The second wave will fill out the rest of the “order-to-cash”
process, the “procure-to-pay” process, and the accounts payable
subledger. Plans are underway to develop other significant business
processes, then to tailor them for industry sectors (such as financial
services, health care, etc.). International differences may also be considered.

THE AUDIT PLAN

The traditional audit plan typically entails a series of preordered
steps with the objective of addressing a series of audit assertions,
relative to the value of assets and flow of resources. Higher-level
assertions are supported by a series of subassertions relating to
issues such as existence, completeness, valuation, and accuracy of the
organization’s transaction accounts.

Audit organizations have historically fulfilled this verification by
performing audit procedures mandated by a mixed set of GAAS, including
audit procedures based on prior experience, evaluation of controls,
and professional judgment. Many of these standards have been in place
since well before current technologies were available, advanced
analytic methods were developed, and data evolved into “Big(ger) Data.”

The modular audit, supported by data organized using ADS, will
transform the audit plan into a control program that uses a mix of
manual methods, automated modules, and defined decision points to
improve the assurance function in an evolutionary (not revolutionary)
path. The new audit plan is more detailed with more discrete steps
aimed at taking advantage of formalization and automation. The future
audit environment will be driven by the automated audit plan in
conjunction with IT systems (including ERPs), the extraction of data
according to the ADS into a common data repository, and audit apps
(see Exhibit 1).

INTEGRATING ANALYTICS WITH JUDGMENT

Integrating analytic methods and new technological evidence into
complex decision processes has been common in disciplines ranging from
medicine to astronomy. Decision-makers must understand the nature of
the evidence received, be willing to rely on it, and automate simple
decisions (while still controlling more complex decision structures).

The modular audit falls into this pattern and presents a quandary to
the auditor: what tools to use, what simple decisions to delegate,
what experience to formalize, and where to rely on intuition and
unstructured knowledge. Although there is a compelling case for the
modular audit, this audit is not mechanical but very much
decision-based and driven by humans.

Auditors should look at their existing audit program and objectives
as a master control program, which would guide the auditor on data to
be collected, tools to be used, and where traditional methods and
judgments should be employed.

The transition from an existing audit program to the more
comprehensive and informative master control program can follow these
steps (see Exhibit 1):

1. Identify audit assertions and procedures. Although it is expected
   that many vendors will supply some preprogrammed master control
   plans, many large firms will prefer to develop their own programs.
   This will require the formalization of audit steps in view of
   assertions and preplanning contingent on the outcome of the prior
   steps.

2. Identify common data points and build a common data repository.
   The proposed data standards will determine and facilitate both
   data provisioning and applications usage. Most common ERPs and
   popular accounting packages will eventually have a common data
   repository layer provisioning the necessary data.

3. Develop automated audit apps based on the audit plan. Audit
   programs are to be progressively automated with the use of the
   common data repository and the adoption of a progressive set of
   apps. Auditors will “link” the results with more traditional audit
   evidence gathering, inference, and decision-making.

4. Deploy audit apps and audit by exception/trend analysis/risk
   assessment. Adapt the audit program with the realities of the
   audit findings by performing additional analyses, adding more
   apps, and reevaluating the early steps. Human decision-making will
   serve to glue together the pieces of evidence and analysis obtained
   with the apps. This linkage will allow further formalization of
   judgments, improved legal defensibility, and the formalization of
   higher and higher forms of judgment.

Eventually, the audit will include intensive logging of the company’s
production activities, as well as of audit actions and outcomes. These
logs will help to clarify variations from original processes as well
as document and support the audit practices.

DEPLOYING AUDIT APPS

Audit “apps” are defined as formalized audit procedures that can be
performed by a computerized tool. An app may perform tasks as simple
as computing ratio analyses, or it may perform complex queries that
identify trends and allow auditors to drill down into the data to
discover the specific causes of an abnormal account or activity. Audit
apps are similar to computer-assisted audit tools (CAATs), but they
differ in that they are built around the common data repository and
are designed to be highly interchangeable. Furthermore, an online
community may be developed where auditors and developers can create
and share audit apps based on popular software tools. Audit apps may
consist of a script or procedure that compiles, analyzes, or presents
data in a number of formats, for example (see Exhibit 2):

Dashboard—provides a quick snapshot of a data state;

Analytic—statistical or summary procedure;

Query—pulls records matching specific criteria;

Trend—evaluates values over time;

Ratio—compares relationships of data;

Data matching—used to find duplicate or missing data; or

Classification—groups data elements on similar attributes.

Choosing or developing audit apps begins with the audit plan. An
audit plan covers many objectives and areas. Defining the key steps in
the audit, either from an existing audit plan or from scratch, allows
auditors to determine which audit procedures can be supported by
technology and which require more manual work, all of which require
the auditors’ judgment. As the audit plan is redefined in the current
context of the organization, new and different tests and functions
centered on the continuous flow of data are likely to be discovered.

Each audit app can run independently of, or in conjunction with,
other apps to provide assurance on the overarching accounting
information system. Most could be scheduled to run automatically on a
daily or weekly basis. Auditors may be able to choose audit apps that
fit their risk-based audit from an online community. They also may be
able to share tools they have developed and get feedback from other
auditors who are doing similar audit tasks. Ultimately, the auditors
would use a dashboard with indicators informing them of high-risk
business processes and alerting them when individual transactions
appear outside of acceptable materiality thresholds defined by the
auditors and included in audit apps.

Although apps as advocated here do not yet exist, many existing audit
applications from commercial software, from academic research efforts,
or from audit firm toolkits can be turned into apps. Piece by piece,
the modular audit can be developed and enhanced around these audit
apps and the common data store.

An automated audit eventually includes an increasing number of new
forms of audit evidence, which may include alerts from continuous
monitoring/audit procedures, analytic contingency tables (e.g., if
“event” occurs, initiate an additional audit module), or
forward-looking data from operations. In situations where there is a
reasonable suspicion that a company’s production data may have been
altered, additional controls (called metacontrols) can verify the
audit trail of system access and process logs for unusual behavior,
similar to network intrusion detection tools. The use of these
techniques relies on adequate logging and well-controlled super-user access.

AUDIT PRODUCTS IN THE FUTURE

The implementation of ADS will provide auditors with readily
accessible data in the application of audit apps and, combined with
partial automation of strategic functions within the audit, will free
auditors to use their professional expertise and judgment in more
productive and useful ways.

On the audit side, less time will be spent extracting, pairing, and
formatting data (which the automated process does for them), so
auditors can devote more time looking for trends, outliers, and
anomalies, and applying professional skepticism, including intuitive
skepticism. The auditor will be able to work with management to gather
additional audit support, resolve glaring issues, and develop a more
risk-based approach to the overall audit plan.

Organizations’ use of automated transaction and controls monitoring
also will create an opportunity for auditors to evaluate the audit
apps and monitoring techniques. Skilled auditors would evaluate the
status of the monitoring platform, the scope and appropriateness of
rules and analytics, and the functionality of specific rules. By
developing an understanding of the ADS and audit apps, both
technically and conceptually, the auditor will be in a position to
shift the audit program to include this controls evaluation.

The issuance of the ADS and its further development will bring the
vision of automation closer to reality, as multiple sources of audit
apps are expected to rapidly become available. Audit software vendors
have large libraries of scripts that can be developed into immediately
usable apps.

EXECUTIVE SUMMARY

As auditors gain greater access to data and audit
procedures that can be performed by a computerized tool, the
role of the audit will become more like a master control plan, which
includes greater automated controls and greater timeliness.

The audit environment requires auditors to be more
forward-looking and generate new methods and techniques for
evaluating enterprise data.

Given access to a common subset of audit-specific
data, as proposed by the AICPA Assurance Services Executive
Committee, auditors can overcome one of the main audit challenges to
an engagement—data access.

A community surrounding audit apps will encourage auditors to
develop and deploy better analytical tools. This allows
greater creativity and promotes understanding of underlying analytics
by the audit community.

Analytics are only part of the equation. As more work
is performed automatically, auditors will have the opportunity to
focus more on honing their judgment to the client’s environment. This
may require additional training for the auditors, but it will produce
higher-quality audits.

Miklos A. Vasarhelyi (miklosv@andromeda.rutgers.edu) is the KPMG Distinguished Professor of Accounting Information
Systems and director of the Rutgers Accounting Research
Center/Continuous Auditing & Reporting Laboratory (CARLAB) at
Rutgers University in New Brunswick, N.J. J. Donald Warren
Jr. (jwarren@hartford.edu) is an assistant professor at the University of Hartford in West
Hartford, Conn. Ryan A. Teeter (teeter@katz.pitt.edu) is a clinical assistant professor of accounting information
systems at the University of Pittsburgh. William R.
Titera (billtitera@gmail.com) is a retired partner at Ernst & Young LLP.

To comment on this article or to suggest an idea for another
article, contact Neil Amato, senior editor, at namato@aicpa.org or 919-402-2187.
